User Manual SEB Windows (until Version 1.7.1)
Configuration Files
There are two configuration files for SEB: SebStarter.ini (called Seb.ini until SEB 1.5.1) and MsgHook.ini. Their location depends on the SEB version:
- until SEB Windows 1.2.1:
in the same folder as the program executable Seb.exe. If e.g. seb_1.2.1_win.zip was unzipped into the folder
C:\Users\Username\tmp, then the ini files lie in the folder
C:\Users\Username\tmp\seb_1.2.1_win\SEB
- in SEB Windows 1.3.x and 1.4.x:
one directory above Seb.exe. If e.g. seb_1.3.4_win.zip was unzipped into the folder
C:\Users\Username\tmp, then the ini files lie in the folder
C:\Users\Username\tmp\seb_1.3.4_win
- in SEB Windows 1.5 and 1.5.1:
in the program directory, e.g.
C:\Program Files\ETH Zuerich\SEB Windows 1.5.1\Seb
- beginning with SEB Windows 1.6, under Windows XP:
in the common application data folder, e.g.
C:\Documents and Settings\All Users\Application Data\ETH Zuerich\SEB Windows 1.7
- beginning with SEB Windows 1.6, under Windows 7:
in the program data directory, e.g.
C:\ProgramData\ETH Zuerich\SEB Windows 1.7
Beginning with SEB Windows 1.6, the SEB Client can write log files, which help in analysing problems that occur when running SEB. To enable this, the option LOG_FILE=1 must be set in the SebStarter.ini and in the MsgHook.ini file, respectively. When running the SEB Client, the log files SebStarter.log and MsgHook.log are written into the same directory as their corresponding ini files.
In order to configure SEB for an online exam, the teacher must edit both .ini files using any text editor, such as Notepad.
SebStarter.ini is the primary configuration file. Here is a working example for SEB Windows 1.7:
[SEB]
HOOK_DLL=MsgHook.dll
MESSAGE_HOOK=1
EDIT_REGISTRY=1
FORCE_WINDOWS_SERVICE=1
ALLOW_VIRTUAL_MACHINE=0
REG_HIDE_FAST_USER_SWITCHING=1
REG_DISABLE_LOCK_WORKSTATION=1
REG_DISABLE_TASKMGR=1
REG_DISABLE_CHANGE_PASSWORD=1
REG_NO_CLOSE=1
REG_NO_LOGOFF=1
REG_ENABLE_SHADE=0
REG_ENABLE_EASE_OF_ACCESS=0
WIN9X_KILL_EXPLORER=1
WIN9X_SCREENSAVERRUNNING=0
NEW_DESKTOP=1
SHOW_SEB_APP_CHOOSER=1
STRONG_KILL_PROCESSES_BEFORE=
STRONG_KILL_PROCESSES_AFTER=
PERMITTED_APPS=Calculator,calc.exe;Notepad,notepad.exe;
SEB_BROWSER=Seb,../xulrunner/xulrunner.exe ../xul_seb/application.ini
AUTOSTART_PROCESS=Seb
SHUTDOWN_AFTER_AUTOSTART_PROCESS_TERMINATES=0
PROC_MONITORING=0
LOG_FILE=0
URL_EXAM=http://www.safeexambrowser.org/
Important options of the SebStarter.ini file:
ALLOW_VIRTUAL_MACHINE
determines if the SEB Client is allowed to run on a Virtual Machine (e.g. for exams in virtual desktop environments) or not (in order to prevent potential manipulations).
FORCE_WINDOWS_SERVICE
determines whether the SEB Client shall run only in conjunction with the SEB Windows Service. The purpose of the SEB Windows Service is explained below:
Some values stored in the Windows Registry database influence the system behaviour of Windows, and thus the security of online exams. Beginning with Windows Vista, these options are displayed in the Windows Security Screen with the blue desktop background, which appears when pressing the key combination Ctrl_Alt_Del. (Until Windows XP, pressing Ctrl_Alt_Del directly invoked the Task Manager.)
Usually, these options should all be disabled for an online exam, in order to prevent manipulation and access to forbidden resources. This particularly holds for the Task Manager, since programs can be terminated or started from within that tool. Hence all values are set to HIDE...=1, DISABLE...=1 and ENABLE...=0 by default.
Until Windows XP, the user was usually logged in as an Administrator, so the SEB client (Seb.exe) could set the Windows Registry values by itself, since it had the necessary rights to do so.
In Windows Vista and Windows 7, users (and hence also the examinees) are urged for security reasons to log in as Standard User rather than as Administrator. However, a SEB Client started by a Standard User does not have the necessary rights to set the Windows Registry values.
A SEB Windows Service running as a background process is therefore indispensable; it takes over this task. Beginning with SEB Windows 1.5, this service is delivered in a .msi file together with the SEB Client, and installed automatically by the Microsoft Installer. Beginning with SEB Windows 1.5.1, the service is also started automatically. The SEB Windows Service also works under Windows XP, although it is not mandatory there.
The Windows Registry values one by one:
REG_HIDE_FAST_USER_SWITCHING
deactivates the button "Benutzer wechseln" or "Switch User", respectively
REG_DISABLE_LOCK_WORKSTATION
deactivates the button "Computer sperren" or "Lock this computer", respectively
REG_DISABLE_TASKMGR
deactivates the button "Task-Manager starten" or "Start Task Manager", respectively
REG_DISABLE_CHANGE_PASSWORD
deactivates the button "Kennwort ändern..." or "Change a password...", respectively
REG_NO_CLOSE
deactivates the button "Herunterfahren" or "Shutdown" in the lower right corner
REG_NO_LOGOFF
deactivates the button "Abmelden" or "Log off", respectively
REG_ENABLE_EASE_OF_ACCESS
activates the button "Erleichterter Zugriff" or "Ease of Access" in the lower left corner, which offers aids such as the Magnifier to visually or hearing-impaired persons.
REG_ENABLE_SHADE
activates the "Shade" bar at the upper edge of a virtual desktop, if existent.
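Added example (not part of the original manual or of SEB's own code): a Python check that compares a SebStarter.ini against the lockdown values described above, with HIDE, DISABLE and NO options expected at 1 and ENABLE options at 0. Treating ALLOW_VIRTUAL_MACHINE=0 and FORCE_WINDOWS_SERVICE=1 from the working example as the baseline is an assumption (a virtual desktop exam would set the former to 1), and the sample ini text is constructed.

```python
# Added example: audit a SebStarter.ini against the lockdown values above.

# Constructed sample: the manual's defaults with two settings weakened.
SAMPLE_INI = """\
[SEB]
FORCE_WINDOWS_SERVICE=1
ALLOW_VIRTUAL_MACHINE=1
REG_HIDE_FAST_USER_SWITCHING=1
REG_DISABLE_LOCK_WORKSTATION=1
REG_DISABLE_TASKMGR=0
REG_DISABLE_CHANGE_PASSWORD=1
REG_NO_CLOSE=1
REG_NO_LOGOFF=1
REG_ENABLE_SHADE=0
REG_ENABLE_EASE_OF_ACCESS=0
"""

# Expected value per key prefix: buttons hidden or disabled, extras not enabled.
PREFIX_RULES = [("REG_HIDE_", "1"), ("REG_DISABLE_", "1"),
                ("REG_NO_", "1"), ("REG_ENABLE_", "0")]
# Assumption: the working example's values are the baseline for these two.
FIXED_RULES = {"ALLOW_VIRTUAL_MACHINE": "0", "FORCE_WINDOWS_SERVICE": "1"}


def parse_ini(text):
    """Return {KEY: value} for every KEY=VALUE line; other lines are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}


def audit_lockdown(text):
    """Return sorted (key, found, expected); found is None for an absent fixed key."""
    cfg, findings = parse_ini(text), []
    for key, value in cfg.items():
        for prefix, expected in PREFIX_RULES:
            if key.startswith(prefix) and value != expected:
                findings.append((key, value, expected))
    for key, expected in FIXED_RULES.items():
        if cfg.get(key) != expected:
            findings.append((key, cfg.get(key), expected))
    return sorted(findings, key=lambda finding: finding[0])


if __name__ == "__main__":
    for key, found, expected in audit_lockdown(SAMPLE_INI):
        print(f"{key}: found {found!r}, expected {expected!r}")
```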
Further options, not belonging to the Windows Security Options:
NEW_DESKTOP
defines whether the SEB Client shall be executed in a newly created desktop window (in fullscreen mode), such that e.g. the task bar and the start menu at the bottom edge of the screen are blanked out.
SHOW_WINKEYOX (until version 1.3) or SHOW_SEB_APP_CHOOSER (since version 1.4)
defines whether, after starting SEB, a popup window for permitted third-party applications appears in the upper left corner when Alt_Tab is pressed. For exams with third-party applications, this value must be set to 1; for exams without third-party applications, the popup window can be dispensed with and the value set to 0.
PROCESSES (until version 1.3) or PERMITTED_APPS (since version 1.4)
defines the permitted third-party applications. SEB can run in conjunction with other programs, e.g. the Calculator or Notepad, both of which are set by default. In that case, the popup window for selecting third-party applications must be activated (set SHOW_SEB_APP_CHOOSER or SHOW_WINKEYOX to 1, respectively) and these third-party applications must be added to PROCESSES or PERMITTED_APPS, respectively. The entries must have the following format:
[application1,Path-to-application1/application1-name;application2,Path-to-application2/application2-name;application3,Path-to-application3/application3-name].
The applications are separated from each other by semicolons. From version 1.7, you can alternatively enter the paths in the SebStarter.bat script file. The format then looks like this:
...
set PermittedAppDir1="%ProgramFiles%\VMware\VMware View\Client\bin"
set PermittedAppDir1(x86)="%ProgramFiles(x86)%\VMware\VMware View\Client\bin"
...
path %path%;%PermittedAppDir1%
path %path%;%PermittedAppDir1(x86)%
...
SebStarter.exe
...
In this case, SEB must be started by double-clicking SebStarter.bat rather than SebStarter.exe. The script extends the environment variable PATH with the paths to the third-party applications and then calls SEB.
AUTOSTART_PROCESS
defines an automatically starting process. Usually, this is the SEB client (AUTOSTART_PROCESS=Seb) in conjunction with a browser component. Until version 1.3, this was the Portable Firefox, which was inserted in addition to the third-party applications in the line PROCESSES=... . Since version 1.4, it is the XULRunner, which must be inserted in the line SEB_BROWSER=... .
Special scenario:
If you want to use SEB only as a pure kiosk application without browser, e.g. in order to secure a local exam application without a Learning Management System, then you must set AUTOSTART_PROCESS= (without the word "Seb"). In the Portable Firefox versions, you must additionally remove the call of SEB from the line PROCESSES=... .
PROC_MONITORING
When activated, all running applications and processes are observed. In case someone tries to launch a non-permitted application (no entry in PROCESSES), this application is stopped. Hint: sometimes this option causes problems; thus it should be deactivated in case of doubt (set PROC_MONITORING=0).
MESSAGE_HOOK
When activated, SEB intercepts key combinations like Alt_F4 or right mouse-click. In the configuration file MsgHook.ini, you can define in detail which key combinations to allow and which not. Here is a typical example:
DISABLE_CTRL_ESC=1
DISABLE_ALT_TAB=1
DISABLE_ALT_ESC=1
DISABLE_ALT_F4=1
DISABLE_START_MENU=1
DISABLE_RIGHT_MOUSE=1
DISABLE_F1=1
DISABLE_F2=1
DISABLE_F3=1
DISABLE_F4=1
DISABLE_F5=1
DISABLE_F6=1
DISABLE_F7=1
DISABLE_F8=1
DISABLE_F9=1
DISABLE_F10=1
DISABLE_F11=1
DISABLE_F12=1
DISABLE_ESCAPE=1
B1=114
B2=122
B3=117
LOG_FILE=0
KILL_CALLER_HOTKEY=Safe Exam Browser 1.6.1
In the example above, all key combinations are disabled (DISABLE=1). That means with this configuration, no keyboard shortcuts are allowed.
One exception is the SEB exit sequence, which allows SEB to be exited at any time. It is a combination of three function keys which must be pressed in a certain order and then held down simultaneously (just like Ctrl_Alt_Del for calling the Windows Security Screen or the Task Manager). By default, the SEB exit sequence is set to F3_F11_F6, which means the user must press the three function keys F3, F11, F6 in this exact order, and then keep them pressed for a moment.
The SEB exit sequence can be customised in MsgHook.ini by setting the variables B1, B2 and B3. The function keys F1, F2, ..., F12 are coded as decimal values (virtual key codes) according to the following table:
| Function key | Code |
|---|---|
| F1 | 112 |
| F2 | 113 |
| F3 | 114 |
| F4 | 115 |
| F5 | 116 |
| F6 | 117 |
| F7 | 118 |
| F8 | 119 |
| F9 | 120 |
| F10 | 121 |
| F11 | 122 |
| F12 | 123 |
If we now set the variable B1 to 115:
B1=115
the first function key to be pressed changes from F3 to F4, since we changed the first variable B1, and 115 is the decimal value of the virtual key code for F4. Since we did not change B2 and B3, the second and third function keys are left intact, so in summary the SEB exit sequence changes from the default sequence F3_F11_F6 to the custom sequence F4_F11_F6.
With B2 and B3, you can change the other two function keys of the SEB exit sequence as well, for example the values
B1=115
B2=116
B3=117
will change the SEB exit sequence to F4_F5_F6.
Remark: If third-party applications shall be admitted in SEB, you also have to admit the keyboard shortcut Alt_Tab by setting
DISABLE_ALT_TAB=0
in MsgHook.ini, as well as setting
SHOW_WINKEYOX=1 or SHOW_SEB_APP_CHOOSER=1
in SebStarter.ini. In SEB, you must then press Alt_Tab, which will launch the "Permitted Applications" popup window, from which you can choose the desired third-party application.
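Added example, not part of the original manual or of SEB's own code: a Python check that decodes B1 to B3 from MsgHook.ini into the exit sequence using the key-code table above, and tests the remark that permitted third-party applications need DISABLE_ALT_TAB=0 and the app chooser set to 1. It assumes the key names used since version 1.4 (PERMITTED_APPS, SHOW_SEB_APP_CHOOSER); the sample ini text is constructed from this page's two example files, which taken together trip the Alt_Tab check.

```python
# Added example. Constructed samples, trimmed from the manual's two example files.
SEBSTARTER_INI = """\
[SEB]
SHOW_SEB_APP_CHOOSER=1
PERMITTED_APPS=Calculator,calc.exe;Notepad,notepad.exe;
"""
MSGHOOK_INI = """\
DISABLE_ALT_TAB=1
B1=114
B2=122
B3=117
"""

VK_F1, VK_F12 = 112, 123  # virtual key codes of F1 and F12 (table above)


def parse_ini(text):
    """Return {KEY: value} for every KEY=VALUE line; other lines are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}


def exit_sequence(msghook):
    """Decode B1..B3 into a name such as 'F3_F11_F6'; reject other key codes."""
    names = []
    for var in ("B1", "B2", "B3"):
        raw = msghook.get(var, "")
        if not raw.isdecimal() or not VK_F1 <= int(raw) <= VK_F12:
            raise ValueError(f"{var}={raw!r} is not a function key code")
        names.append(f"F{int(raw) - VK_F1 + 1}")
    return "_".join(names)


def permitted_apps(starter):
    """Split PERMITTED_APPS into (name, path) pairs; empty entries are dropped."""
    entries = starter.get("PERMITTED_APPS", "").split(";")
    return [tuple(part.strip() for part in entry.split(",", 1))
            for entry in entries if entry.strip()]


def chooser_problems(starter, msghook):
    """List settings that leave permitted apps unreachable through Alt_Tab."""
    problems = []
    if permitted_apps(starter):
        if starter.get("SHOW_SEB_APP_CHOOSER") != "1":
            problems.append("SebStarter.ini: SHOW_SEB_APP_CHOOSER is not 1")
        if msghook.get("DISABLE_ALT_TAB") != "0":
            problems.append("MsgHook.ini: DISABLE_ALT_TAB is not 0")
    return problems
```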
Certificates
In SEB using XULRunner (version 1.4 and above), problems with SSL certificates can occur:
- If your secured site is using certificates which are generally trusted by browsers like Firefox, there might be a problem with SEB XULRunner. The problem occurs when your server certificate is signed by an intermediate certificate of any trusted certification authority. In that case the whole issuer chain must be provided to the browser for validation. You might have to ask your server administrator to change their settings to solve the problem.
For further information please consult the documentation of your webserver: Apache 2.2, IIS.
- Self-signed certificates need to be imported into SEB's XULRunner. Since XULRunner doesn't provide an easy way to add exceptions for not generally trusted certificates, you can open the page in Firefox, accept the certificate, then copy the file cert_override.txt to the XULRunner application profile.
Connect Browser and Test
Before you start SEB, you should define the starting page of your online exam, and which keyboard shortcuts should be suppressed by SEB during the online exam. The latter have been described in the Configuration Files section above. Initially, you can use the default values already given in the downloaded SEB.
How to change the start URL of SEB depends on whether you are using a Portable Firefox SEB (until version 1.3.4) or a XULRunner SEB (beginning from version 1.4.1):
SEB with Portable Firefox
- Close any already running Firefox browser.
- Open the subdirectory SebFirefox\ and double-click on the file start-firefox.bat:

- In the field Start URL, enter the URL to your LMS installation or a direct link to the test:

- Click OK and then close the window.
SEB with XULRunner
- Open the file SebStarter.ini with any text editor.
- Set the parameter URL_EXAM to the desired address, for example
URL_EXAM=http://quiz.safeexambrowser.org
LMS Extensions
In order to use Safe Exam Browser, current versions of ILIAS and Moodle do not need extensions anymore. The connectivity to SEB is already included in these LMS. In case an older ILIAS version is used, you can find information on installing the "Naviless" skin in ILIAS in the ILIAS Information Center. For older Moodle versions, you can find information on installing the extension in the Readme file attached to the download file.